Maturing Security Strategy

A layered system of security controls provides the best protection.

Foundation Controls
Perimeter (network security):
- Firewalls
- Intrusion prevention
Access controls:
- User provisioning (role-based)
- Access management (two-factor)
Vulnerability management:
- Patching (45-day cycle)
Incident response
Security awareness:
- Training (annual)
Policy
Organization:
- Staff (roles)
- Skills (certifications)
Compliance:
- Audit
- Requirements management
- E-discovery

Good Controls
Formal process:
- Measurable
- Repeatable
Detection and response:
- Log analysis
- User behavior (access logs)
- Virtual machine scanning
- Data loss prevention
Risk assessment:
- IT risk (applications and projects)
- Facility risk assessment
- Automation
Governance:
- Governance committees
- Change management
- Identity access governance

Advanced
Strategic planning
Business alignment:
- Integrate controls with business process
Key risk indicator mapping:
- Leading indicators of risk that influence business decision making
Behavior shaping:
- Reduce technical controls
Ethical hacking
Risk management:
- Enterprise risk
- Accountability
- Scenario risk assessment